Office 365 is a strong solution for enterprises, and employees are moving to the cloud faster via many types of devices, including desktops, tablets, pads and mobile phones. It is therefore very important to protect valuable enterprise information not only inside the organization but outside it as well, wherever employees are allowed to work with company data on mobile devices or tablets. To address this, Microsoft introduced Mobile Device Management (MDM) capabilities and has rolled out MDM in all Office 365 commercial plans. These capabilities are now supported for Windows, iOS and Android phones to control information in apps such as Outlook, Word, Excel, PowerPoint and OneDrive.

MDM capabilities for Office 365

Built-in Mobile Device Management in Office 365 provides key benefits for controlling and securing an organization’s information. It also gives flexibility and guidance for choosing the best solution for the organization’s needs.

Access. MDM lets you set options that determine whether a particular user can bring their Office 365 data from the cloud to their mobile device. You can use this capability to configure settings for users who have MDM-compatible devices. The Access options let you set:

Criteria for mobile devices connected to Office 365

Device access policies such as PIN lock

Data encryption on devices

Jailbreak detection

Blocking non-compatible devices

Control. Use the MDM options to control devices via the built-in management console or PowerShell, or create group policies for devices.

Wipe. If a mobile device is lost or an employee’s account is deleted from the organization, the Wipe feature removes the MDM-protected data from the user’s mobile device but leaves the user’s own personal data in place.

Report. This feature provides reports on the following:

Device compliance reports

Mobile usage and trends in the organization

API support (coming, not available yet)

Microsoft Intune. MDM for Office 365 makes a subset of Microsoft Intune features available (figure 1), which gives administrators more sophisticated control for aligning corporate data policies with a user’s personal data on their devices. A detailed TechNet article describes the Intune capabilities for MDM in Office 365. Microsoft Intune gives administrators the ability to restrict actions such as cut, copy, paste and Save As into other applications, which keeps corporate data more secure.

Figure 1: Mobile Application Management with Microsoft Intune

How to configure MDM in Office 365

As a Global Administrator, you must do the following tasks to configure MDM for Office 365:

Activate MDM from the Office 365 Admin Center, then click the Get Started button to set up MDM, including required steps such as the APN certificate and domain settings.

Figure 2: Set up MDM for Office 365

Create and deploy device security policies from the Compliance Center for specific security groups of users. A device policy provides a wide range of administrative options for managing security, such as device-level PIN lock and jailbreak detection, as well as the additional configuration options shown in figures 3 and 4; the policy is deployed to a specific security group of users.

After an administrator has configured MDM for Office 365, users must enroll each device they want to use to access company resources with that company’s Office 365 tenant. When a user signs in from a compatible mobile device, Office 365 verifies whether the device is enrolled; if it is not, it notifies the user to enroll the device (figure 5).

Enroll the device in the MDM-enabled Office 365 tenant.

Figure 5: Mobile device enrollment notification

Note: If a user tries to access their corporate email configured by Office 365 from a mobile device for the first time, they receive an email with a specific set of instructions to enroll the device. If you want to see the whole enrollment notification cycle, view this.

As soon as the user finishes the steps to enroll the device, if the security policy configured via MDM in the Office 365 tenant requires a passcode, the user is notified (figure 6) to set one.

When users access Office 365 data from mobile devices, they are directed to sign in to Azure Active Directory, and by doing so they send both their user credentials and their device credentials to be validated by Azure AD. If the conditional access policies are satisfied, the client is granted a token to access Office 365.

As employees keep accessing business data through mobile devices, global administrators can use MDM for Office 365 to perform the following tasks:

Block devices that are not supported from accessing email using ActiveSync

Check lists of blocked devices

Unblock non-compliant devices for users or groups

Generate reports to review compliant and non-compliant devices
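The four administrative tasks above, and the PowerShell route mentioned under Control, as an added example that is not from the article: it assumes the tenant is managed with the Exchange Online PowerShell cmdlets (ExchangeOnlineManagement module) and an account holding an Exchange admin or Global admin role; the UPNs, device ID and DeviceType string are placeholders.

```powershell
# Added example, not the article's own code. Assumes ExchangeOnlineManagement is installed
# and the signed-in account can administer Exchange Online. All identifiers are placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'

# 1. Block unsupported devices from ActiveSync: quarantine anything not covered by a rule,
#    notify the admin, and add an explicit block rule for a device type the org does not allow.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'admin@contoso.onmicrosoft.com'
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType `
    -QueryString 'PLACEHOLDER_DEVICE_TYPE' -AccessLevel Block   # use a DeviceType seen in step 4

# 2. Check the list of blocked (and quarantined) devices across the tenant.
$blocked = Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -in 'Blocked', 'Quarantined' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceId,
                  DeviceAccessState, DeviceAccessStateReason
$blocked | Format-Table -AutoSize

# 3. Unblock one device for one user by adding its DeviceId to the mailbox allow list
#    (the @{Add=...} form appends without overwriting IDs already on the list).
$user     = 'alice@contoso.onmicrosoft.com'   # placeholder
$deviceId = 'PLACEHOLDER_DEVICE_ID'           # placeholder, take it from the report in step 2
Set-CASMailbox -Identity $user -ActiveSyncAllowedDeviceIDs @{Add = $deviceId}

# 4. Compliance report: every device, its owner, access state, applied policy and last sync,
#    exported to CSV so non-compliant devices can be reviewed offline.
Get-MobileDevice -ResultSize Unlimited | ForEach-Object {
    $stats = Get-MobileDeviceStatistics -Identity $_.Identity
    [pscustomobject]@{
        User        = $_.UserDisplayName
        Device      = "$($_.DeviceType) $($_.DeviceModel)"
        DeviceId    = $_.DeviceId
        AccessState = $_.DeviceAccessState
        Policy      = $stats.DevicePolicyApplied
        LastSync    = $stats.LastSuccessSync
    }
} | Export-Csv -Path '.\mobile-device-report.csv' -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```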

Conclusion

Office 365 is all about productivity, and MDM helps organizations improve productivity by allowing employees to work on mobile devices outside the organization while protecting company data. MDM policies can also prevent copy and paste from managed applications into personal applications. Moreover, device policies let organizations apply different levels of control to different groups of users. For example, using MDM you can give more control to members of the finance team but less control to members of the sales team.

This simplified administrative process is a great change in Office 365 in terms of productivity and security. I believe that Microsoft will add more MDM-compatible apps apart from Office apps in later releases.

This article has also been published at ITUNITY.

Dipti Chhatrapati

Dipti Chhatrapati is a SharePoint specialist currently working as a Senior Consultant for CapGemini in Mumbai, India. She has more than 9 years of experience in application development, design, maintenance, administration and is continuously working with improving her skills and keeping them up to date. As a developer, project leader and SharePoint Business Analyst, she has been an extensive user of Visual Studio and Team Foundation Server throughout her career. Dipti is very passionate about music, sports, and arts and loves to spend her free time learning new things, socializing with friends and family, cooking, exercising and singing.
